Since the People’s Republic of China was founded in 1949, the US – China relationship has been characterized by substantial areas of conflict, confrontation, and strategic mistrust.

By mid-2015, many leading US specialists on China described a rapid deterioration in bilateral ties, which could be described as an across-the-board contest; US analysts now call for a new grand strategy toward China to balance its rising power.

Unfortunately, this pattern of growing tensions applies just as much to cyberspace; indeed, cyberspace has become one of the most contentious arenas.

Tensions

By some accounts, tension in this area is one of the main sources of a broader deterioration in ties.

However, while US dissatisfaction with Chinese behaviour in cyberspace plays a large role in how the United States views China overall, China’s concerns about US behaviour in cyberspace play a substantially more modest role in shaping how China views the United States overall, which may help explain why the two sides have had limited success in sustaining dialogue over the issue to date.

The United States and China initiated a formal bilateral dialogue on cyberspace in 2013, but the Chinese cut off this dialogue in 2014, after the United States indicted five People’s Liberation Army officers for conducting cyber espionage against US targets.

While the bilateral Cyber Working Group appears to have been abandoned as an approach, discussions on cyberspace issues did occur at the bilateral Strategic and Economic Dialogue in the summer of 2015, and an initial agreement to move forward on the issue took centre stage on the outcomes list of the Xi-Obama summit held in Washington in September 2015.

Questions persist

Still, substantial questions persist about the two nations’ relationship in cyberspace.

In the absence of a set of fully fleshed-out norms and procedures to modulate troublesome activity and set rules for cyberspace, the issue will continue to represent a substantial risk to the bilateral relationship, regional peace and stability, and global order.

US perspective

From the US perspective, three issues dominate.

The primary complaint has been with China’s multiple and repeated intrusions into corporate networks to steal intellectual property and proprietary business information.

A second concern has been the growing penetration of US systems through cyberspace for traditional espionage purposes related to national security (e.g., the penetration of the Office of Personnel Management revealed in mid-2015, possibly for the purpose of compiling enormous databases on US citizens – and also, potentially, their Chinese contacts – for potential recruitment or blackmail).

A third US concern is over the prospect that China might be prepared to use a cyberattack to take down US critical infrastructure during a crisis.

A fourth concern is the lack of clarity over each side’s use of cyberattack in warfare and the risk in escalation.

China’s perspective

For its part, China decries US accusations of hacking and proclaims that it is itself a victim of cyberattacks coming from the United States. Chinese officials and commentators complain about US restrictions on market access for Chinese telecommunications firms such as Huawei and ZTE Corporation.

Chinese commentaries also bemoan US funding of internet censorship–circumvention technology and argue for the right of states to control the information that individuals can access within their boundaries (a notion known as cyber sovereignty).

China observers also decry US internet “hegemony,” noting that many of the routers and servers, as well as the software used to support the backbone of the internet in China, are produced by and/or controlled by US firms.

Policy questions

Given these divergent views, and in the aftermath of China’s abandonment of formal talks on cybersecurity with the United States, we were drawn to and motivated by several urgent policy questions in writing this report.

1. Can the United States and China achieve meaningful outcomes through formal negotiations over norms and rules in cyberspace?

2. If meaningful negotiations are possible, what areas are most likely to yield agreement and what might be exchanged for what?

3. What are the feasible paths to getting to useful agreements over norms in cyberspace?

The analysis in Getting to Yes with China in Cyberspace should be of interest to two communities: those concerned with US relations with China, and those concerned with developing norms of conduct in cyberspace, notably those that enhance security and freedom.

Key Findings of the analysis

Chinese and US views of cybersecurity have very little overlap.

The United States and China have very different perspectives on cyberspace. The United States emphasizes extending the rule of law internationally. China stresses the maintenance of state sovereignty.

The most important US interest on the bilateral agenda is for China to eliminate espionage for commercial gain and modulate its other cyber-espionage activities. The hack of the Office of Personnel Management was a particular sore point.

Within the bilateral relationship, the United States places more importance on cyberspace issues than China does. Chinese behaviour in cyberspace is often the top item on the bilateral agenda; U.S. behaviour in cyberspace rarely makes China's top-ten list.

How a set of norms could be negotiated

Avoiding targeting or carrying out espionage on critical infrastructure provides prospects for negotiating a set of norms

The Chinese appear interested in norms against countries attacking one another's critical infrastructure. They also understand that such a norm would also have to forbid espionage against critical infrastructure (distinguishing espionage from implanting attacks is very hard).

The United States believes it can catch the Chinese cheating and would like some process by which cheating, once discovered, is acknowledged — with possible consequences to follow.

The Chinese believe they are unlikely to catch cheating by the United States and are apprehensive of any agreement that would put them at a corresponding disadvantage.

Any serious agreement would need a process that both sides could trust and may require some way to increase China's confidence in its own attribution capabilities.

The United States should negotiate with China over cyber rules by linking the issue more directly to the broader health of the overall relationship between the two countries.

China and the United States could possibly achieve progress in cybersecurity negotiations by means of an agreement that would have both countries refrain from attacking each other's critical infrastructure or carrying out cyber espionage that could leave behind implants that could facilitate such attacks.

The United States might consider assisting China by sharing insights into attribution if, in exchange, China would to agree to common evidentiary standards and credibly commit to prosecuting those found to have violated them. Such an agreement would require some mutually approved method of determining when one or the other side had violated its part of the bargain in ways that would have the guilty party accord legitimacy to such findings and admit what it has done.

The United States may need to simultaneously incentivize China to come to and stay at the bargaining table by raising the costs if China continues its economically motivated cyber-espionage activities, while exploring the potential role of a quid pro quo in facilitating agreements that can be monitored.